2019-01-14 - EMOTET INFECTION WITH GOOTKIT

ASSOCIATED FILES:

  • 2019-01-14-Emotet-malspam-with-attachment.eml   (205,760 bytes)
  • 2019-01-14-Emotet-infection-with-Gootkit.pcap   (13,289,241 bytes)
  • 2019-01-14-downloaded-Word-doc-with-macro-for-Emotet.doc   (107,520 bytes)
  • 2019-01-14-Emotet-binary-retreived-by-Word-macro.exe   (135,168 bytes)
  • 2019-01-14-Emotet-binary-updated-after-initial-infection.exe   (139,264 bytes)
  • 2019-01-14-Gootkit-INF-file.txt   (246 bytes)
  • 2019-01-14-Gootkit-retrieved-by-Emotet-infected-host.exe   (528,384 bytes)

Shown above:  A flow chart for Emotet malspam infections.


WEB TRAFFIC BLOCK LIST

Indicators are not a block list.  If you feel the need to block web traffic, I suggest the following URLs and domains:


TRAFFIC


Shown above:  Traffic from an infection filtered in Wireshark.


TRAFFIC FROM AN INFECTED WINDOWS HOST:

INITIAL EMOTET INFECTION TRAFFIC:


MALWARE

INITIAL WORD DOC:

EMOTET BINARIES:

GOOTKIT:


FINAL NOTES

Once again, here are the associated files:

Zip archives are password-protected with the standard password.  If you don't know it, look at the "about" page of this website.
